JP2017062669A - Security control device, security control system, security control method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a security control device capable of fine-tuned security control while reducing a load on a manager.SOLUTION: A communication unit 701 receives identification information to identify an improper device that has performed improper communication among information processing devices connected with a monitoring object network. A control unit 703 transmits isolation instructions to give instructions to execute an isolation process to isolate the improper device from a network to the improper device identified by using the identification information received by the communication unit 701.SELECTED DRAWING: Figure 3

Description

  The present invention relates to a security technique for protecting an internal network.

  As security technology for protecting an internal network such as a LAN (Local Area Network), conventionally, using a FW (Firewall) device, an IDS (Intrusion Detection System) or a proxy server, Perimeter security technology that blocks intrusion of unauthorized communication data into an internal network has been used.

  However, in recent years, targeted attacks by malicious programs called malware frequently occur, and accordingly, further enhancement of internal security technology is required. In addition, when a device in the internal network is infected with malware that performs a targeted attack, unauthorized communication such as confidential information being transmitted to the outside without permission is performed by the infected device, or in the internal network Infect other devices with malware.

  As a conventional security technique against a targeted attack, there is known a technique for identifying a terminal performing unauthorized communication and notifying an administrator of an internal network or the like. In this case, the administrator who has received the notification has to go to the installation location of the terminal performing unauthorized communication and disconnect the terminal communication by disconnecting the LAN cable or the like from the terminal. For this reason, there is a problem that the burden on the administrator is heavy depending on the number of terminals that perform unauthorized communication and the installation location.

  On the other hand, the communication management device described in Patent Document 1 identifies a terminal that has performed unauthorized communication, and blocks communication of a network switch device connected to the identified terminal. For this reason, even if the administrator does not go to the place where the terminal is installed, unauthorized communication can be blocked, and the burden on the administrator can be reduced.

JP 2010-233153 A

  However, since a plurality of terminals are normally connected to the network switch device, in the technique described in Patent Document 1, if communication of a network switch device connected to an unauthorized terminal that performed unauthorized communication is blocked, In some cases, communication with terminals other than unauthorized terminals connected to the network switch device is blocked. For this reason, there is a problem that fine security control cannot be performed.

  An object of the present invention is to provide a security control device, a security control system, a security control method, and a program capable of performing fine security control while reducing the burden on an administrator.

  A security control device according to the present invention includes: a communication unit that receives identification information that identifies an unauthorized device that has performed unauthorized communication among information processing devices connected to a monitored network; and the identification information received by the communication unit. And a control unit that transmits a quarantine instruction for instructing execution of a quarantine process for quarantine from the network.

  A security control system according to the present invention is a security control system including an information processing device connected to a network to be monitored and a security control device that controls the security of the network, and the security control device is connected to the network. A communication unit that receives identification information that identifies an unauthorized device that performed unauthorized communication among connected information processing devices, and an unauthorized device that is identified by the identification information received by the communication unit, from the network A control unit that transmits a quarantine instruction that instructs execution of a quarantine process to be quarantined, and the information processing apparatus receives the quarantine instruction, and when the receiving unit receives the quarantine instruction, And a processing unit that executes the isolation process.

  The security control method according to the present invention is specified by the step of receiving identification information for identifying an unauthorized device that has performed unauthorized communication among information processing devices connected to a monitored network, and the identification information received. Transmitting a quarantine instruction to instruct execution of a quarantine process for quarantine from the network.

  A program according to the present invention is specified by a procedure for receiving identification information for identifying an unauthorized device that has performed unauthorized communication among information processing devices connected to a network to be monitored, and the received identification information. And a procedure for transmitting a quarantine instruction to instruct execution of a quarantine process for quarantine from the network.

  According to the present invention, it is possible to perform fine security control while reducing the burden on the administrator.

It is a figure which shows the security control system of the 1st Embodiment of this invention. It is a block diagram which shows the structural example of an asset management server. It is a block diagram which shows the structural example of an internal security control apparatus. It is a block diagram which shows the structural example of a terminal. It is a sequence diagram for demonstrating an example of operation | movement of the security control system of the 1st Embodiment of this invention. It is a sequence diagram for demonstrating the other example of operation | movement of the security control system of the 1st Embodiment of this invention.

  Embodiments of the present invention will be described below with reference to the drawings. In addition, in each drawing, the same code | symbol is attached | subjected to what has the same function, and the description may be abbreviate | omitted.

  FIG. 1 is a diagram showing a security control system according to the first embodiment of this invention. In FIG. 1, the security control system includes an asset management server 1, a removal program providing device 2, a FW device 3, a proxy server 4, a restricted proxy server 5, a target attack monitoring device 6, and an internal security control device. 7 and terminals 8A to 8C. These devices may be configured with dedicated devices or servers, or may be configured with general-purpose computers or the like. Examples of general-purpose computers include personal computers, tablet computers, and smartphones.

  The asset management server 1 and the removal program providing device 2 are connected to an external network 11, and the proxy server 4, the restricted proxy server 5, the targeted attack monitoring device 6, and the internal security control device 7 are a DMZ (DeMilitarized Zone) 12. And the terminals 8 </ b> A to 8 </ b> C are connected to the internal network 13. The external network 11 is, for example, the Internet. The internal network 13 is a LAN, for example. Further, the external network 11, the DMZ 12, and the internal network 13 may be a wired network or a wireless network.

  The DMZ 12 is a network that is installed between the external network 11 and the internal network 13 and is isolated from the external network 11 and the internal network 13 by the FW device 3. Although communication from the external network 11 is put into the DMZ 12, direct communication from the external network 11 to the internal network 13 is not possible. Further, communication from the internal network 13 is put into the DMZ 12, but direct communication from the internal network 13 to the external network 11 is not possible. When communicating from the internal network 13 to the external network 11, communication is performed via the proxy server 4 or the restricted proxy server 5. Specifically, the external network 11, DMZ 12, and internal network 13 are each isolated from other networks by the FW device 3. The DMZ 12 and the internal network 13 are preferably physically separated from each other by the FW device 3 as described above. However, the DMZ 12 and the internal network 13 may be logically separated from each other using a virtual LAN or the like, or may be the same network. Good. Further, the FW device 3 may be provided between the external network 11 and the DMZ 12 and between the DMZ 12 and the internal network 13.

  The asset management server 1 is a management device that manages the terminals 8A to 8C, and has a function of transferring various instructions from the internal security control device 7 to the terminals 8A to 8C, and responses from the terminals 8A to 8C to these instructions. The various notifications are transferred to the internal security control device 7. FIG. 2 is a block diagram illustrating a configuration example of the asset management server 1. As shown in FIG. 2, the asset management server 1 includes a server communication unit 101 and a management unit 102.

  The server communication unit 101 receives various instructions from the internal security control device 7 for the infected terminal that is the terminal that performed unauthorized communication among the terminals 8A to 8C. The instructions include an isolation instruction for instructing execution of an isolation process for isolation from the internal network 13, a removal instruction for instructing execution of a removal process for removing an unauthorized program that performs unauthorized communication, and an internal network 13 for an infected terminal. There is a quarantine release instruction that instructs execution of a quarantine release process for releasing quarantine from the quarantine. In addition, the server communication unit 101 sends, as a response to the above instruction from the infected terminal, a quarantine process result notification indicating a quarantine process result, a disinfection process result notification indicating a disposition process result, and a quarantine release process process A release processing result notification indicating the result is received.

  An infected terminal is a terminal in which a malicious program may be installed, and is sometimes called an unauthorized device. The quarantine instruction, the removal instruction, and the quarantine release instruction include identification information that identifies the infected terminal. The identification information is an IP address in this embodiment, but other information such as a MAC (Media Access Control) address or a host name may be used instead of the IP address. The isolation instruction may further indicate the type of isolation processing to be executed. Specifically, the quarantine instruction includes type information indicating the type of the quarantine process, and indicates the type indicated by the type information as the type of quarantine process to be executed. A more detailed description of the type of isolation processing will be described later. The removal instruction is for instructing execution of a removal process for removing a malicious program by a removal program for removing a malicious program, and includes storage location information indicating a storage location where the removal program is stored. In this embodiment, the storage location information is a URL (Uniform Resource Locator), but may be other information.

  When the server communication unit 101 receives the isolation instruction, the management unit 102 transmits the isolation instruction as an isolation command to the infected terminal specified by the IP address in the isolation instruction. When the server communication unit 101 receives the removal instruction, the management unit 102 transmits the removal instruction as a removal instruction to the infected terminal specified by the IP address in the removal instruction. When the server communication unit 101 receives the isolation release instruction, the management unit 102 transmits the isolation release instruction as an isolation release instruction to the infected terminal specified by the IP address in the isolation release instruction. The quarantine command, the removal command, and the quarantine release command may include an IP address that identifies the infected terminal, or the management unit 102 excludes the IP address that identifies the infected terminal. Also good. In order for the management unit 102 to transmit various commands such as a quarantine command, a removal command, and a quarantine release command to the terminals 8A to 8C including the infected terminal, for example, the asset management server 1 sends the terminal 8A to the FW device 3. The terminal 8A to 8C is allowed to communicate in advance to the terminal 8C, or the terminals 8A to 8C are set to acquire various commands at a predetermined timing (for example, periodically, at a predetermined time or at startup). It is necessary to leave. However, in this embodiment, for simplification of description, it is assumed that the management unit 102 simply transmits various commands.

  When the server communication unit 101 receives the quarantine processing result notification, the management unit 102 acquires the IP address of the infected terminal that is the transmission source of the quarantine processing result notification, and sends the quarantine processing result notification including the IP address to the internal security It transmits to the control apparatus 7. When the server communication unit 101 receives the removal process result notification, the management unit 102 acquires the IP address of the infected terminal that is the transmission source of the removal process result notification, and sends the removal process result notification including the IP address to the internal security It transmits to the control apparatus 7. When the server communication unit 101 receives the release processing result notification, the management unit 102 acquires the IP address of the infected terminal that is the transmission source of the release processing result notification, and sends the release processing result notification including the IP address to the internal security. It transmits to the control apparatus 7.

  The removal program providing device 2 is a providing device that provides a removal program. Specifically, the removal program providing device 2 stores the removal program and receives the removal program request for obtaining the removal program from the internal security control device 7, and then stores the removal program stored in the internal security control device. 7 to send.

  At this time, the removal program providing apparatus 2 may authenticate the transmission source of the removal program request and transmit the removal program when the authentication is successful. For example, the removal program providing apparatus 2 stores in advance authentication information for authenticating the transmission source of the removal program request, and collates the stored authentication information with the authentication information included in the removal program request. Then, the removal program providing apparatus 2 determines that the authentication is successful if the authentication information matches, and determines that the authentication fails if the authentication information does not match. The authentication information is not particularly limited, and is, for example, a combination of a user ID that specifies an administrator of the internal security control device 7 and a password.

  The FW device 3 separates the external network 11, the DMZ 12 and the internal network 13. Since the FW device 3 is a technique well known to those skilled in the art, a detailed description thereof is omitted.

  The proxy server 4 and the restricted proxy server 5 are relay devices that relay communication between the terminals 8A to 8C. The proxy server 4 and the restriction proxy server 5 have a policy that defines the communication destinations of the terminals 8A to 8C, and restrict the communication destinations of the terminals 8A to 8C to communication destinations that conform to the policy. The policy of the proxy server 4 is not particularly limited. For example, the policy of the proxy server 4 may be one that does not limit the communication destinations of the terminals 8A to 8C (allows all communication destinations), or communication with a predetermined device such as a server that provides data that is contrary to public order and morals. You may not allow. The restriction proxy server 5 has a policy for restricting the communication destinations of the terminals 8A to 8C to specific devices. The specific device is the asset management server 1 in this embodiment. Note that the proxy server 4 and the restricted proxy server 5 may be configured as separate devices, may be configured as the same device, and may be distinguished by a policy.

  The target-type attack monitoring device 6 monitors unauthorized communication in the internal network 13 that is a network to be monitored, and detects an infected terminal that is a terminal that performed unauthorized communication among the terminals 8A to 8C connected to the internal network 13. Identify. Specifically, the target-type attack monitoring device 6 transmits data transmitted from the terminals 8A to 8C and passes through network devices such as the FW device 3 and a router (not shown), and the transmission data is illegal data. Determine whether or not. When the target-type attack monitoring device 6 determines that the transmission data is illegal data, the target-type attack monitoring device 6 identifies the terminal that transmitted the transmission data as an infected terminal. When the target-type attack monitoring device 6 identifies the infected terminal, the target-type attack monitoring device 6 transmits an alert to the internal security control device 7 indicating that unauthorized communication has been detected. The alert includes the IP address of the infected terminal.

  The internal security control device 7 is a security control device that controls the security of the internal network 13. FIG. 3 is a block diagram illustrating a configuration example of the internal security control device 7. The internal security control device 7 illustrated in FIG. 3 includes a communication unit 701, a storage unit 702, and a control unit 703.

  The communication unit 701 receives an alert from the target attack monitoring device 6, receives a quarantine processing result notification, a removal processing result notification, and a release processing result notification from the asset management server 1, and receives a removal program from the removal program providing device 2. Then, the removal program request is received from the terminals 8A to 8C. Since the alert includes the IP address of the infected terminal, the communication unit 701 receives an IP address that is identification information for identifying the infected terminal.

  The storage unit 702 stores authentication information for authenticating the internal security control device 7 by the removal program providing device 2 and the contact information of the administrator of the internal security control device 7. The contact address is, for example, an e-mail address.

  When the communication unit 701 receives the alert, the control unit 703 transmits an isolation instruction via the asset management server 1 to the infected terminal specified by the IP address in the alert. At this time, the control unit 703 may instruct the infected terminal of the type of the isolation process executed by the infected terminal by including type information indicating the type of the isolation process in the isolation instruction.

  When the communication unit 701 receives the isolation process result notification, the control unit 703 checks whether or not the isolation process result notification indicates the success of the isolation process. When the quarantine process has failed, the control unit 703 transmits a quarantine error notification indicating that the quarantine process has failed to the administrator's contact information stored in the storage unit 702. Note that the isolation error notification desirably includes identification information such as the IP address of the infected terminal.

  If the quarantine process is successful, the control unit 703 provides the removal program to the infected terminal. Specifically, first, the control unit 703 transmits a removal program request to the removal program providing apparatus 2. At this time, when the removal program providing apparatus 2 performs authentication, the control unit 703 includes the authentication information stored in the storage unit 702 in the removal program request.

  Subsequently, when the communication unit 701 receives the removal program, the control unit 703 stores the removal program in a predetermined storage location and acquires a URL indicating the storage location. Then, the control unit 703 transmits a removal instruction to the infected terminal specified by the IP address in the alert via the asset management server 1. Thereafter, when the communication unit 701 receives a removal program request, the control unit 703 provides the stored removal program to the infected terminal. In this embodiment, the storage location of the removal program is the storage unit 702, but is not limited to this example. For example, a storage device that stores the removal program may be provided separately from the internal security control device 7.

  When the communication unit 701 receives the removal process result notification, the control unit 703 determines whether or not the removal process result notification indicates that the malicious program is not detected or the removal process is successful. When the malicious program is not detected, the control unit 703 transmits a cancellation instruction via the asset management server 1 to the infected terminal specified by the IP address in the removal process result notification. When a malicious program is detected and the removal process fails, the control unit 703 performs at least one of the following first process and second process. If a malicious program is detected and the removal process is successful, the control unit 703 sends a cancellation instruction to the infected terminal specified by the IP address in the removal process result notification via the asset management server 1. The control unit 703 may perform at least one of the following first processing and second processing.

  In the first process, the control unit 703 again sends an isolation instruction to the infected terminal via the asset management server 1, thereby instructing the infected terminal to execute the isolation process again. At this time, the control unit 703 preferably instructs the infected terminal to execute the predetermined removal process by including the type information indicating the predetermined isolation process in the isolation instruction. The predetermined removal process is an isolation process having a high isolation strength, which is an intensity for isolating an infected terminal from the internal network 13, and specifically, a driver deletion process for deleting a network driver described later.

  In the second process, the control unit 703 transmits a removal error notification indicating that the removal process has failed to the administrator's contact information stored in the storage unit 702. The removal error notification desirably includes the IP address of the infected terminal (the IP address in the removal processing result notification).

  When the communication unit 701 receives the release processing result notification, the control unit 703 determines whether the release processing result notification indicates success of the quarantine release processing. When the isolation release process is successful, the control unit 703 ends the process. When the quarantine release process has failed, the control unit 703 transmits a release error notification indicating that the quarantine release process has failed to the administrator's contact information stored in the storage unit 702. The release error notification desirably includes the IP address of the infected terminal (IP address in the release processing result notification).

  The terminals 8A to 8C are information processing apparatuses connected to the internal network 13. In addition to the terminals 8A to 8C or in place of the terminals 8A to 8C, other devices such as a server may be used as the information processing apparatus. Further, the number of terminals (information processing devices) is not particularly limited.

  The terminals 8A to 8C all have the same configuration. Therefore, hereinafter, the configuration of the terminals 8A to 8C will be described by taking the terminal 8A as an example. FIG. 4 is a block diagram illustrating a configuration example of the terminal 8A. The terminal 8A illustrated in FIG. 4 includes a terminal communication unit 801, a terminal storage unit 802, and a processing unit 803.

  The terminal communication unit 801 is a receiving unit that receives a quarantine command, a removal command, and a quarantine release command from the asset management server 1. Further, the terminal communication unit 801 receives a removal program from the internal security control device 7.

  The terminal storage unit 802 stores communication setting information for the terminal 8A to perform communication and an agent that is a program that defines the operation of the processing unit 803. In this embodiment, the communication setting information includes proxy setting information indicating a proxy server that relays communication of the terminal 8A, and a network driver. The proxy setting information is a setting file related to the proxy server in the registry, a current automatic proxy configuration file in the local network setting, or the like.

  The processing unit 803 is, for example, a CPU (Central Processing Unit), reads an agent stored in the terminal storage unit 802, develops the read program in a RAM (not shown), and executes the following. Process. The agent is preferably a resident program that is executed when the terminal 8A is activated.

  When the terminal communication unit 801 receives the isolation command, the processing unit 803 executes isolation processing for isolating the terminal 8A from the internal network 13, and sends an isolation processing result notification indicating the processing result via the asset management server 1. Transmit to the internal security control device 7. The types of isolation processing include, for example, change processing for changing proxy setting information stored in the terminal storage unit 802 to predetermined information, deletion processing for deleting proxy setting information, and restriction processing for restricting execution of predetermined communication functions A driver deletion process for deleting a network driver is given. The processing unit 803 may execute a plurality of types of isolation processing.

  In the change process, the processing unit 803 may change the definition of the proxy server described in the proxy server setting file in the registry, or the proxy server described in the current automatic proxy configuration file in the local network setting. The definition of may be changed. The proxy setting information indicates the proxy server 4 before being changed by the changing process. Examples of the predetermined information that is the proxy setting information after the change include information indicating the restricted proxy server 5, information indicating a fictitious proxy server that does not exist, and a predetermined character string that does not make sense as the definition of the proxy server. Note that the definition of the proxy server is represented by a URL, a server name (ProxyServername), or the like.

  The deletion process may delete the proxy server definition described in the proxy server configuration file in the registry, or delete the proxy server definition described in the current automatic proxy configuration file in the local network settings. May be. The restriction process restricts, for example, execution of an application that performs communication such as a browser or mailer as a predetermined function, execution of a function related to communication of an application such as acquisition of a web page or transmission of an e-mail (for example, ,Ban. The function restricted by the restriction process may be determined in advance, may be determined by searching for an application with which the processing unit 803 performs communication, and is instructed from the asset management server 1 or the internal security control device 7. May be.

  In the restriction process, it is difficult to prevent unauthorized communication when an unauthorized program communicates directly. In the deletion process, another proxy server may be automatically selected. The isolation strength that is the strength for isolation from the network 13 is relatively low. On the other hand, in the change process and the driver deletion process, the isolation strength is high, and particularly in the driver deletion process. In the quarantine process, it is desirable that the processing unit 803 backs up the proxy setting information or network driver to be changed or deleted in the terminal storage unit 802 as backup information.

  When the terminal communication unit 801 receives the removal instruction, the processing unit 803 acquires the removal program from the storage location indicated by the URL in the removal instruction, and stores the removal program in the terminal storage unit 802. In the present embodiment, since the URL indicates the internal security control device 7, the processing unit 803 transmits a removal program request to the internal security control device 7, and then acquires the removal program received by the terminal communication unit 801. .

  The processing unit 803 executes a stored removal program, operates according to the removal program, executes a removal process for removing an unauthorized program, and notifies the asset management server 1 of a removal processing result notification indicating the processing result. To the internal security control device 7. The removal process includes a process for detecting a malicious program and a process for actually removing the detected malicious program. The removal process result notification indicates whether a malicious program has been detected and whether the detected malicious program has been successfully removed.

  As an example in which an unauthorized program is not detected, for example, an advertisement is included in a Web page displayed by a Web browser, and some communication is made toward the external network 11 only while the advertisement is displayed. When the display of the advertisement is finished, the communication is stopped. In this case, even if a malicious program is not installed on the terminal 8A, unauthorized communication may be detected by the target-type attack monitoring device 6, but the malicious program is not installed on the infected terminal. The processing result notification indicates non-detection of a malicious program.

  When the terminal communication unit 801 receives the quarantine release command, the processing unit 803 executes the quarantine release process for releasing the quarantine from the internal network 13 of the terminal 8A, and sends a release process result notification indicating the process result to the asset management It transmits to the internal security control device 7 via the server 1. The isolation release process is a process for returning the proxy setting information and the network driver to the state before the isolation process based on the proxy setting information and the network driver backed up in the terminal storage unit 802.

  For example, when change processing or deletion processing is performed as quarantine processing, the processing unit 803 stores the proxy server setting file in the registry or the current automatic proxy configuration file in the local network setting in the proxy setting information stored as backup information. return. Further, when the restriction process is performed as the isolation process, the processing unit 803 cancels the restriction on the execution of the communication function. When the driver deletion process is performed as the isolation process, the processing unit 803 returns the network driver stored as the backup information to the network driver used for communication. In the case where the proxy setting information and the network driver are common to the terminals 8A to 8C, instead of the processing unit 803 backing up the proxy setting information and the network driver, the proxy setting information and the network driver used by the terminals 8A to 8C are used. You may memorize | store in the asset management server 1 or the internal security control apparatus 7 previously. In this case, the processing unit 803 downloads proxy setting information and a network driver from the asset management server 1 and the internal security control device 7 in the quarantine cancellation process, and proxy setting information based on the downloaded proxy setting information and network driver. Or return the network driver to the state before the quarantine process.

  The processing unit 803 includes asset information such as user names and MAC addresses for identifying the users of the terminals 8A to 8C, function information indicating a communication function using a USB (Universal Serial Bus) terminal of the terminal 8A, and the like. It may have a function of acquiring information such as various setting information such as registry setting information and transmitting it to the asset management server 1. In this case, the management unit 102 of the asset management server 1 may acquire the information transmitted from the processing unit 803 and transmit a part or all of the information to the internal security control device 7 at a predetermined timing. . The predetermined timing is, for example, the timing at which the server communication unit 101 receives the isolation instruction, the timing at which the isolation processing result notification, the removal processing result notification, or the release processing result notification is transmitted.

  Next, the operation will be described. FIG. 5 is a sequence diagram for explaining an operation example of the security control system when an unauthorized communication is detected.

  First, the target-type attack monitoring device 6 monitors transmission data transmitted by the terminals 8A to 8C and determines whether or not the transmission data is invalid data. When the target-type attack monitoring device 6 determines that the transmission data is illegal data, the target-type attack monitoring device 6 determines that illegal communication has been performed, and determines the IP address of the transmission terminal of the transmission data from the transmission data. Obtained as an address (step S501). Then, the targeted attack monitoring device 6 transmits an alert including the acquired IP address to the internal security control device 7 via the DMZ 12 (step S502). Hereinafter, an infected terminal that is a terminal that has transmitted unauthorized data is referred to as a terminal 8A, and the terminal 8A is referred to as an infected terminal 8A.

  When the communication unit 701 of the internal security control device 7 receives the alert, the communication unit 701 transmits the alert to the control unit 703. Upon receiving the alert, the control unit 703 acquires the IP address of the infected terminal from the alert, and sends an isolation instruction including the IP address to the asset management server via the communication unit 701, DMZ 12, FW device 3, and external network 11. 1 (step S503).

  When the server communication unit 101 of the asset management server 1 receives the isolation instruction, the server communication unit 101 transmits the isolation instruction to the management unit 102. When receiving the quarantine instruction, the management unit 102 acquires the IP address of the infected terminal from the quarantine instruction. The management unit 102 sends a quarantine command based on the quarantine instruction excluding the IP address to the infected terminal 8A specified by the acquired IP address of the infected terminal, the server communication unit 101, the external network 11, and the FW device 3 And it transmits via the internal network 13 (step S504).

  Upon receiving the isolation command, the terminal communication unit 801 of the infected terminal 8A transmits the isolation command to the processing unit 803. When receiving the isolation command, the processing unit 803 executes isolation processing (step S505). Note that the type of isolation processing performed by the processing unit 803 may be preset in the processing unit 803, or may be a type indicated by type information included in the isolation command. Further, the processing unit 803 executes a preset isolation process when the type information is not included in the isolation command. If the type information is included in the isolation command, the processing unit 803 isolates the type indicated by the type information. Processing may be executed.

  When the quarantine process is completed, the processing unit 803 transmits a quarantine process result notification indicating the process result of the quarantine process to the asset management server 1 via the terminal communication unit 801, the internal network 13, the FW device 3, and the external network 11. (Step S506).

  When the server communication unit 101 of the asset management server 1 receives the isolation process result notification, the server communication unit 101 transmits the isolation process result notification to the management unit 102. Upon receiving the quarantine processing result notification, the management unit 102 adds the IP address of the transmission source of the quarantine processing result notification as the IP address of the infected terminal 8A to the quarantine processing result notification, and adds the quarantine processing result notification including the IP address, The data is transmitted to the internal security control device 7 via the server communication unit 101, the external network 11, the FW device 3, and the DMZ 12 (step S507).

  When the communication unit 701 of the internal security control device 7 receives the isolation process result notification, the communication unit 701 transmits the isolation process result notification to the control unit 703. Upon receiving the quarantine processing result notification, the control unit 703 confirms whether the quarantine processing result notification indicates success of the quarantine processing, and performs processing according to the confirmation result (step S508). Here, when the quarantine processing result notification indicates that the quarantine processing has failed, the control unit 703 acquires the contact information of the administrator from the storage unit 702, transmits a quarantine error notification to the acquired contact information, and performs processing. finish.

  Hereinafter, a case where the quarantine process result notification indicates the success of the quarantine process will be described in detail. FIG. 6 is a sequence diagram for explaining an operation example of the security control system when the quarantine process result notification indicates the success of the quarantine process in step S508.

  When the quarantine process result notification indicates that the quarantine process is successful, the control unit 703 acquires authentication information from the storage unit 702 and sends a removal program request including the authentication information to the communication unit 701, DMZ 12, FW device 3, and external network. 11 is transmitted to the removal program providing device 2 via step 11 (step S601).

  Upon receipt of the removal program request, the removal program providing device 2 compares the authentication information in the removal program request with the stored authentication information, and authenticates the internal security control device 7 that is the transmission program request source. To do. Here, it is assumed that the authentication is successful. In this case, the removal program providing device 2 transmits the stored removal program to the internal security control device 7 via the external network 11, the FW device 3, and the DMZ 12 (step S602).

  When the communication unit 701 of the internal security control device 7 receives the removal program, the communication unit 701 transmits the removal program to the control unit 703. Upon receiving the removal program, the control unit 703 stores the removal program in the storage unit 702 and generates a URL indicating the storage location. Then, the control unit 703 sends a removal instruction including the generated URL and the IP address in the quarantine processing result notification received in step S508 via the communication unit 701, DMZ 12, FW device 3, and external network 11 to the asset management server. 1 (step S603).

  Upon receiving the removal instruction, the server communication unit 101 of the asset management server 1 transmits the removal instruction to the management unit 102. When receiving the removal instruction, the management unit 102 acquires an IP address from the removal instruction. The management unit 102 sends a removal command based on the removal instruction excluding the IP address to the infected terminal 8A specified by the acquired IP address, the server communication unit 101, the external network 11, the FW device 3, and the internal network. 13 is transmitted (step S604).

  Upon receiving the removal command, the terminal communication unit 801 of the infected terminal 8A transmits the removal command to the processing unit 803. When the removal command is received, the processing unit 803 acquires a URL from the removal command, sends a removal program request to the internal security control device 7 indicated by the URL, the terminal communication unit 801, the internal network 13, and the FW device 3. And it transmits via DMZ12 (step S605).

  Upon receiving the removal program request, the communication unit 701 of the internal security control device 7 transmits the removal program request to the control unit 703. Upon receiving the removal program request, the control unit 703 acquires the removal program from the storage unit 702, and transmits the removal program to the infected terminal 8A that is the transmission source of the removal program request, the communication unit 701, DMZ12, and FW device. 3 and the internal network 13 (step S606).

  Upon receiving the removal program, the terminal communication unit 801 of the infected terminal 8A transmits the removal program to the processing unit 803. When receiving the removal program, the processing unit 803 stores the removal program in the terminal storage unit 802, and executes the removal process by developing the stored removal program in a RAM (not shown) and executing it (Step S803). S607).

  When the removal process ends, the processing unit 803 transmits a removal process result notification indicating the result of the removal process to the asset management server 1 via the terminal communication unit 801, the internal network 13, the FW device 3, and the external network 11. (Step S608).

  Upon receiving the removal process result notification, the server communication unit 101 of the asset management server 1 transmits the removal process result notification to the management unit 102. Upon receiving the removal process result notification, the management unit 102 adds the IP address of the removal process result notification as the IP address of the infected terminal 8A to the removal process result notification, and sends the removal process result notification to which the IP address is added. The data is transmitted to the internal security control device 7 via the server communication unit 101, the external network 11, the FW device 3, and the DMZ 12 (step S609).

  Upon receiving the removal process result notification, the communication unit 701 of the internal security control apparatus 7 transmits the removal process result notification to the control unit 703. Upon receiving the removal process result notification, the control unit 703 confirms whether the removal process result notification indicates non-detection of a malicious program or success of the removal process. Here, it is assumed that the removal process result notification indicates that a malicious program has not been detected. In this case, the control unit 703 transmits an isolation release instruction including the IP address in the removal process result notification to the asset management server 1 via the communication unit 701, the DMZ 12, the FW device 3, and the external network 11 (step S610). .

  When the removal process result notification indicates that the malicious program has been detected and the removal process has failed, the control unit 703 acquires the administrator's contact information from the storage unit 702 and transmits a removal error notification to the acquired contact information. Then, the process ends. In addition, the control unit 703 transmits an isolation instruction including type information indicating a predetermined isolation process (specifically, driver deletion process) as the isolation process type to the infected terminal 8A via the asset management server 1. Also good. In this case, the driver deletion process is executed as the isolation process in the processing unit 803 of the infected terminal 8A. For this reason, it becomes possible to isolate infected terminal 8A more reliably. Further, when the removal process result notification indicates that the malicious program has been detected and the removal process has been successful, the process of step S610 may be performed as in the case where the removal process result notification indicates that the malicious program has not been detected. Processing may be performed in a case where the result notification indicates that the malicious program has been detected and the removal process has failed.

  When the server communication unit 101 of the asset management server 1 receives the isolation release instruction, the server communication unit 101 transmits the isolation release instruction to the management unit 102. Upon receiving the quarantine release instruction, the management unit 102 acquires an IP address from the quarantine release instruction. The management unit 102 sends a quarantine release command based on the quarantine release instruction excluding the IP address to the infected terminal 8A specified by the acquired IP address, and the server communication unit 101, the external network 11, the FW device 3, and Transmission is performed via the internal network 13 (step S611).

  Upon receiving the isolation release command, the terminal communication unit 801 of the infected terminal 8A transmits the isolation release command to the processing unit 803. When receiving the isolation release command, the processing unit 803 executes isolation release processing (step S612).

  When the quarantine release process ends, the processing unit 803 sends a release process result notification indicating the process result of the quarantine release process to the asset management server 1 via the terminal communication unit 801, the internal network 13, the FW device 3, and the external network 11. Transmit (step S613).

  Upon receiving the release processing result notification, the server communication unit 101 of the asset management server 1 transmits the release processing result notification to the management unit 102. Upon receiving the release processing result notification, the management unit 102 adds the IP address of the release processing result notification as the IP address of the infected terminal 8A to the release processing result notification, and sends the release processing result notification to which the IP address is added. The data is transmitted to the internal security control device 7 via the server communication unit 101, the external network 11, the FW device 3, and the DMZ 12 (step S614).

  Upon receiving the release process result notification, the communication unit 701 of the internal security control device 7 transmits the release process result notification to the control unit 703. Upon receiving the release process result notification, the control unit 703 confirms whether or not the release process result notification indicates the success of the quarantine release process (step S615). If the isolation release process is successful, the control unit 703 ends the process. On the other hand, if the quarantine release process has failed, the control unit 703 acquires the administrator's contact information from the storage unit 702, transmits a release error notification to the acquired contact information, and ends the process.

  As described above, according to the present embodiment, the communication unit 701 of the internal security control device 7 receives the IP address that identifies the infected terminal 8A that has performed unauthorized communication. The control unit 703 instructs the infected terminal 8 </ b> A specified by the IP address received by the communication unit 701 to execute isolation processing for isolation from the internal network 13. In addition, the terminal communication unit 801 of the infected terminal 8A receives an instruction to execute the quarantine process. When the terminal communication unit 801 receives the instruction, the processing unit 803 executes the isolation process.

  Accordingly, since the isolation process for isolating from the internal network 13 is performed by the infected terminal 8A itself that has performed unauthorized communication, the administrator does not go to the installation location of the infected terminal 8A and information other than the infected terminal 8A. It is possible to block unauthorized communication by the infected terminal 8A without blocking communication of the processing device. Therefore, detailed security control can be performed while reducing the burden on the administrator, and security is enhanced.

Next, a second embodiment will be described.
In the present embodiment, the control unit 703 of the internal security control device 7 determines the type of quarantine process according to the number of alerts received by the communication unit 701, that is, the number of receptions of the IP address of the infected terminal 8A.

  For example, the storage unit 702 stores, for each IP address, control information indicating the number of times alerts including the IP address are received. Each time the communication unit 701 receives an alert, the control unit 703 increments the number of receptions corresponding to the IP address included in the alert. Then, the control unit 703 determines the type of isolation processing according to the incremented number of receptions. Specifically, the control unit 703 executes isolation processing with higher isolation strength as the number of receptions increases. For example, when the number of receptions is 1, the control unit 703 designates a restriction process as the isolation process, and when the number of receptions is 2 or more, the control unit 703 designates a deletion process as the isolation process. In addition, the control unit 703 designates a restriction process as the isolation process when the number of receptions is one, designates a deletion process when the number of receptions is two, and designates a deletion process when the number of receptions is three or more. May be executed.

  Further, the number of receptions may be the number of times an alert has been received in a predetermined period. In this case, for example, if the control unit 703 receives an alert during a period from when the isolation process result notification indicates that the isolation process is successful until the removal process result notification is received, the control unit 703 increments the reception count.

  As described above, according to the present embodiment, since the type of the quarantine process is determined according to the number of times the alert is received, even if a certain quarantine process cannot block unauthorized communication, another quarantine process is performed. Since it is possible to block unauthorized communication using, more accurate security control is possible.

  In each embodiment described above, the illustrated configuration is merely an example, and the present invention is not limited to the configuration.

  For example, the function of each device of the security control system records a program for realizing the function on a computer-readable recording medium, and causes the computer to read and execute the program recorded on the recording medium. That may be realized.

  Further, although the asset management server 1 is arranged on the external network 11, it may be arranged on the DMZ 12 or the internal network 13. Although the proxy server 4, the restricted proxy server 5, the targeted attack monitoring device 6, and the internal security control device 7 are arranged on the DMZ 12, they may be arranged on the internal network 13. Further, the quarantine instruction, the removal instruction, and the quarantine release instruction may be transmitted directly from the internal security control device 7 to the infected terminal without going through the asset management server 1. Similarly, the quarantine processing result notification, the removal processing result notification, and the release processing result notification may be directly transmitted from the infected terminal to the internal security control device 7 without going through the asset management server 1.

  Further, the terminals 8A to 8C may acquire the removal program from the removal program providing apparatus 2. In this case, the control unit 703 of the internal security control device 7 transmits a removal instruction including the URL indicating the removal program providing device 2 to the infected terminal 8A without transmitting a removal program request.

DESCRIPTION OF SYMBOLS 1 Asset management server 2 Disinfecting program provision apparatus 3 FW apparatus 4 Proxy server 5 Restriction proxy server 6 Targeted attack monitoring apparatus 7 Internal security control apparatus 8A-8C terminal 11 External network 12 DMZ
13 internal network 101 server communication unit 102 management unit 701 communication unit 702 storage unit 703 control unit 801 terminal communication unit 802 terminal storage unit 803 processing unit

Claims (11)

A communication unit that receives identification information that identifies an unauthorized device that has performed unauthorized communication among information processing devices connected to a monitored network; and
And a control unit that transmits a quarantine instruction that instructs execution of a quarantine process for quarantine from the network to an unauthorized device specified by the identification information received by the communication unit. The isolation instruction has a type of isolation processing to be executed by the unauthorized device,
The security device according to claim 1, wherein the control unit determines the type of the quarantine process according to the number of receptions of identification information for identifying the unauthorized device by the communication unit. The communication unit receives a notification indicating a processing result of the quarantine process from the unauthorized device;
The control unit provides a removal program for removing an unauthorized program, which is a program for performing unauthorized communication, to the unauthorized device when the processing result indicates a success of the isolation process, and the unauthorized program performs the unauthorized program. The security control apparatus according to claim 1, wherein a removal instruction that instructs execution of a removal process for removing a program is transmitted. The communication unit receives a notification indicating a processing result of the removal process from the unauthorized device,
The control unit instructs the unauthorized device to execute a predetermined isolation process different from the isolation process instructed by the isolation instruction when the process result of the removal process indicates a failure to delete the malicious program. The security device according to claim 3, wherein the security instruction is transmitted. The communication unit receives a notification indicating a processing result of the removal process from the unauthorized device,
The control unit, when the processing result indicates successful removal of the unauthorized program, transmits to the unauthorized device an isolation release instruction that instructs execution of an isolation release process for releasing isolation from the network. The security device according to claim 3 or 4. A security control system including an information processing device connected to a monitored network and a security control device that controls security of the network,
The security control device
A communication unit that receives identification information for identifying an unauthorized device that performed unauthorized communication among the information processing devices connected to the network;
A control unit that transmits a quarantine instruction that instructs execution of a quarantine process for quarantine from the network to an unauthorized device identified by the identification information received by the communication unit;
The information processing apparatus includes:
A receiving unit for receiving the isolation instruction;
A security control system comprising: a processing unit that executes the isolation process when the reception unit receives the isolation instruction.   The security control system according to claim 6, wherein the processing unit executes a change process for changing proxy setting information indicating a proxy server that relays communication of the unauthorized device to predetermined information as the isolation process.   The security control system according to claim 6 or 7, wherein the processing unit executes a driver deletion process for deleting a network driver as the isolation process. The isolation instruction has a type of isolation processing to be executed by the unauthorized device,
The security control system according to any one of claims 6 to 8, wherein the processing unit executes a type of isolation processing in the isolation instruction. Receiving identification information for identifying an unauthorized device that has performed unauthorized communication among information processing devices connected to a monitored network; and
Transmitting a quarantine instruction for instructing execution of a quarantine process for quarantine from the network to an unauthorized device specified by the received identification information. On the computer,
A procedure for receiving identification information for identifying an unauthorized device that has performed unauthorized communication among information processing devices connected to a monitored network;
A program for causing a fraudulent device specified by the received identification information to execute an isolation instruction for instructing execution of an isolation process for isolation from the network.

Images